26 Configuring Secure Sockets Layer (SSL)

This chapter explains how to configure Secure Sockets Layer (SSL) for use with Oracle Internet Directory. If you use Secure Sockets Layer (SSL), you may also configure strong authentication, data integrity, and data privacy.

26.1 Introduction to Configuring Secure Sockets Layer (SSL)

Oracle Internet Directory ensures that data has not been modified, deleted, or replayed during transmission by using Secure Sockets Layer (SSL). SSL generates a cryptographically secure message digest—through cryptographic checksums using either the MD5 algorithm or the Secure Hash Algorithm (SHA)—and includes it with each packet sent across the network. SSL provides authentication, encryption, and data integrity using message digest.

Oracle Internet Directory ensures that data is not disclosed during transmission by using public key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.

26.1.1Supported Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to determine which cipher suite they will use when transmitting messages back and forth.

Table 26-1 lists the SSL cipher suites supported by Oracle Internet Directory and their corresponding authentication, encryption, and data integrity mechanisms. These are stored in the attribute orclsslciphersuite in the instance-specific configuration entry.

Table 26-1 SSL Cipher Suites Supported in Oracle Internet Directory

Cipher Suite

Authentication

Encryption

Data Integrity

SSL_RSA_WITH_3DES_EDE_CBC_SHA

RSA

3DES

SHA

SSL_RSA_WITH_RC4_128_SHA

RSA

RC4

SHA

SSL_RSA_WITH_RC4_128_MD5

RSA

RC4

MD5

SSL_RSA_WITH_DES_CBC_SHA

RSA

DES

SHA

SSL_RSA_EXPORT_WITH_RC4_40_MD5

RSA

RC4_40

MD5

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

RSA

DES40

SHA

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

None

3DES

SHA

SSL_DH_anon_WITH_RC4_128_MD5

None

RC4

MD5

SSL_DH_anon_WITH_DES_CBC_SHA

None

DES

SHA

SSL_RSA_WITH_AES_128_CBC_SHA

RSA

AES

SHA

SSL_RSA_WITH_AES_256_CBC_SHA

RSA

AES

SHA

26.1.2 Supported Protocol Versions

Oracle Internet Directory supports the following TLS/SSL protocols:

SSLv3

TLSv1

SSLv3 with SSLv2 Hello

Oracle Internet Directory does not support SSLv2.

TLSv1 can use all of the cipher suites listed in Table 26-1. SSLv3 and SSLv3 with SSLv2 Hello can use the first 10 cipher suites listed inTable 26-1. They cannot use the AES ciphers.SL_RSA_WITH_AES_128_CBC_SHA or SSL_RSA_WITH_AES_256_CBC_SHA.

26.1.3SSL Authentication Modes

The SSL protocol provides transport layer security with authenticity, integrity, and confidentiality, for a connection between a client and server. Three authentication modes are supported, as described in Table 26-2. The SSL authentication mode is controlled by the attribute orclsslauthentication in the instance-specific configuration entry.

Table 26-2 SSL Authentication Modes

SSL Authentication Method

Value of orclsslauthentication

Authentication Behavior

SSL No Authentication Mode, Confidentiality mode

1

Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. Only SSL encryption and decryption is used.

SSL Server Authentication Only Mode

32

The directory server authenticates itself to the client. The directory server sends the client a certificate asserting the server's identity.

SSL Client and Server Authentication Mode

64

The client and server authenticate themselves with each other and send certificates to each other.

By default, the SSL authentication mode is set to authentication mode 1 (encryption only, no authentication). Be sure at least one Oracle Internet Directory server instance has this default authentication mode. Otherwise, you break Oracle Delegated Administration Services and other applications that expect to communicate with Oracle Internet Directory on the encrypted SSL port.

Replication does not work with SSL Server Authentication or SSL Client and Server Authentication.

During start-up of a directory server instance, the directory reads a set of configuration parameters, including the parameters for the SSL profile.

To run a server instance in secure mode, configure a single listening endpoint to communicate using LDAPS. To allow the same instance to run non-secure connections concurrently, configure a second listening endpoint to communicate using LDAP.

During installation of Oracle Internet Directory, Oracle Identity Management 11g Installer follows specific steps in assigning the SSL and non-SSL port. First, it attempts to use 3060 as the non-SSL port. If that port is unavailable, it tries ports in the range 3061 to 3070, then 13060 to 13070. Similarly, it attempts to use 3131 as its SSL port, then ports in the range 3132 to 3141, then 13131 to 13141.

Note:

If you perform an upgrade from an earlier version of Oracle Internet Directory to 11g Release 1 (11.1.1), your port numbers from the earlier version are retained.

You can create and modify multiple Oracle Internet Directory instances with differing values, using a different SSL parameters. This is a useful way to accommodate clients with different security needs.

26.1.4 Limitations of the Use of SSL in11g Release 1 (11.1.1)

The Oracle directory replication server cannot communicate directly with an SSL-enabled LDAP server that supports two way (mutual) authentication. The replication server startup fails and hangs if the LDAP server is configured for SSL mutual authentication.

26.1.5 Oracle Wallets

Oracle Wallet is a secure software container that is used to store X509 certificates, Private key, and trusted CA certificates A self-signed certificate can be stored in Oracle Wallet that can be within an enterprise.

Before removing the reference to the wallet from the instance-specific configuration, you must disable SSL by setting orclsslenable to 0.

Never delete a wallet currently in use, as defined in the attribute orclsslwalleturl, from the file system. Doing so prevents the server from starting successfully. Remove the reference to the wallet from the instance-specific configuration entry attribute orclsslwalleturl before you delete the file.

In 11g, you do not need to directly manipulate orclsslwalleturl because the SSL configuration service abstracts this out, both in WLST and Oracle Enterprise Manager Fusion Middleware Control. The SSL configuration service traps any attempts to delete a wallet that is currently in use, provided you do so by using the SSL configuration service.

26.1.6 Other Components and SSL

At installation, Oracle Internet Directory starts up in dual mode. That is, some components can access Oracle Internet Directory using non-SSL connections, while others use SSL when connecting to the directory. By default, Oracle Application Server components are configured to run in this dual mode environment when communicating with Oracle Internet Directory. If you want, you can remove the non-SSL mode and change all middleware instances to use SSL.

Enterprise User Security or a customer application might need an SSL channel with a different configuration from the default. For example, it might need SSL server authentication mode or SSL mutual authentication mode. In this case, you must create another Oracle Internet Directory component instance listening on a different SSL mode and port.

26.1.7 SSL Interoperability Mode

In no-auth mode, Oracle components developed before 11g Release 1 (11.1.1) can only connect with Oracle Internet Directory using an instance that has interoperability mode enabled (orclsslinteropmode = 1). For compatibility with those components, SSL interoperability mode is enabled by default.

26.1.8 StartTLS

Beginning with 11g Release 1 (11.1.1), Oracle Internet Directory supports startTLS. This feature enables the on-demand negotiation of an SSL session on a non-SSL port. No special configuration is required for the non-SSL port. If Oracle Internet Directory has an SSL endpoint configured, a client can use startTLS on the non-SSL port to negotiate an SSL connection on the non-SSL port with the same configuration that is on the SSL port. That is, if the SSL port uses mutual authentication, startTLS tries to negotiate mutual authentication on the non-SSL port.

26.2 Configuring SSL by Using Fusion Middleware Control

Configuring SSL by using Fusion Middleware Control consists of three basic tasks:

If this is a non auto login wallet, supply the wallet password in the Server Wallet Password field.

If necessary, expand Advanced SSL Settings.

Set SSL Authentication to Server.

Set Cipher Suite to All.

Set SSL protocol version to the appropriate version, usually v3.

Click OK.

Restart the Oracle Internet Directory instance by navigating to Oracle Internet Directory, then Availability, then Restart.

The steps for SSL-enabling in mutual-auth mode are the same, except that in the SSL Settings dialog, you would set SSL Authentication to Mutual instead of Server.

Note:

You cannot directly change the parameters for an active instance.

26.2.3 Setting SSL Parameters with Fusion Middleware Control

Table 26-3 lists the SSL parameters in Oracle Enterprise Manager Fusion Middleware Control that are applicable to Oracle Internet Directory. All of them are in the instance-specific configuration entry, which has a DN of the form:

"cn=componentname,cn=osdldapd,cn=subconfigsubentry."

SSL Attributes

Table 26-3 SSL-Related Attributes in Fusion Middleware Control

Field or Heading

Configuration Attribute

Server SSL Protocol Version

orclsslversion

SSL Wallet URL

orclsslwalleturl

Enable SSL

orclsslenable

SSL Authentication Mode

orclsslauthentication

Server Cipher Suite

orclsslciphersuite

You must restart the server for SSL configuration changes to take effect.

26.3 Configuring SSL by Using WLST

You must perform the following steps to configure SSL:

Create an Oracle wallet.

Configure SSL parameters.

Restart Oracle Internet Directory.

To create an Oracle wallet and configure SSL parameters by using wlst, perform the following steps:

Invoke wlst and connect to the host, specifying the username, password, and port of the WebLogic administration server.

If you want to use a third-party or custom Certificate Authority-issued certificate, instead of a self-signed certificate, you must first import the certificate. See the chapter on managing keystores, wallets, and certificates in Oracle Fusion Middleware Administrator's Guide for instructions.

WLST manages Oracle Internet Directory through its SSL port. The Oracle Internet Directory SSL port must be configured for no authentication or server authentication. If the Oracle Internet Directory SSL port is configured for mutual authentication, you will not be able to change Oracle Internet Directory parameters by using WLST. See "SSL Authentication Modes".

Do not set orclsslenable to 1 (SSL only) if you use Oracle Enterprise Manager Fusion Middleware Control or WLST to manage Oracle Internet Directory. Those utilities manage the server through MBeans, which use SASL over a non-SSL connection.

26.6.3 Testing SSL With Client and Server Authentication

Use this method to test an SSL configuration with SSL client and server authentication configured.

Oracle Internet Directory supports the Certificate Matching Rule. The DN and password passed on the ldapbind command line are ignored. Only the DN from the certificate or the certificate hash is used for authorization.